Cloud security firm Wiz has identified a critical vulnerability in the NVIDIA Container Toolkit, identified as CVE-2025-23266 and with a CVSS score of 9.0. The vulnerability, dubbed NVIDIAScape, could pose a serious threat to cloud services that use artificial intelligence and GPU-based containerization.
The bug affects all versions of the NVIDIA Container Toolkit up to and including 1.17.7, as well as NVIDIA GPU Operator up to version 25.3.0. The vulnerability has already been fixed in the new versions 1.17.8 and 25.3.1, respectively.
The issue is related to the use of so-called OCI hooks, designed to initialize containers. One of these hooks, “createContainer,” is misconfigured, allowing an attacker to load a malicious library when the container starts.
The problem is that the hooks run with elevated privileges and in the context of the container’s file system, allowing the attacker to inject code with minimal effort. Wiz researchers pointed out that the attack can be performed with just three lines in the Dockerfile, which set the LD_PRELOAD variable and load the malicious library. As a result, the attacker can not only escape the container, but also take control of the host system.
What’s particularly alarming is that the vulnerability affects approximately 37% of cloud environments using AI. This means that a single compromised container can be used to access data and models from other clients hosted on the same physical servers. The attack could therefore lead to intellectual property theft, workflow disruptions, and denial of service.
Wiz had previously reported two similar issues in the NVIDIA toolkit, CVE-2024-0132 and CVE-2025-23359, both with the potential for full system takeover. The new vulnerability has once again demonstrated the weakness of container isolation mechanisms. According to the team, the exclusive use of containers as a security measure is unacceptable: additional barriers such as virtualization are necessary, especially in multi-tenant infrastructures.
The NVIDIAScape situation raises urgent questions about the resilience of modern infrastructures to attacks, where known and legacy hacking vectors could be more effective than hypothetical AI-based threats. Issues at the level of basic components, such as container hooks, demonstrate that attention to detail and regular updates remain key elements of defense.
Follow us on Google News to receive daily updates on cybersecurity. Contact us if you would like to report news, insights or content for publication.
